Card security in focus: what retailers need to know

The US's shift to EMV will provide the strongest security protections, and will also be a business and technology enabler, argues PCI SSC's international director, Jeremy King.

Published: 09:51:17 on 16 Nov 2015. Author: Ben Sillitoe


In the second part of a series of Q&As with international director at PCI Security Standards Council (SSC), Jeremy King, Essential Retail gets the lowdown on global fraud, and what impact the US's migration to EMV will have on card fraud around the world.

ER: What impact will the US's EMV chip migration have on card fraud levels?

JK: The US is like all other countries that have migrated to EMV: there will be a significant drop in face-to-face fraud, which is good news globally. We are also very likely to see a drop in fraud-abroad figures for most if not all of Europe, as criminals will no longer be able to utilise cloned magnetic stripe data.

Unfortunately, what then generally happens is that the criminals change tack and focus their efforts on the next available target, which generally tends to be card-not-present fraud, or online/telephone and mobile transactions. This is where the criminals steal those cardholder data elements that allow them to commit fraud over the internet.

This hits home the need for multichannel protections and strategies for protecting payment data that include EMV chip technology as one piece, but also focus on added security for each part of the transaction process, such as adopting and implementing PCI-approved Point-to-Point Encryption solutions. PCI Standards give businesses the framework for this layered approach that addresses not just technology, but people and processes too.

ER: Why has it taken the US so long to do this?

JK: For one simple reason: the US market is far bigger than any other single market that has migrated to EMV. Europe migrated in many small steps as each country in turn moved forward. Furthermore, the hardest and most time-consuming aspect is not the issuing of chip cards or installing new EMV chip terminals, it is ensuring that all the systems for every merchant are correctly installed and working. That means an awful lot of visits, and PCI has been helping out EMVCo here by providing support listing organisations approved to undertake this work. It was therefore essential that the US was certain all of this would work and would provide the benefits anticipated before migrating.

EMV chip technology has vastly improved since it was first used 20 years ago, just as PCI standards are constantly being reviewed and improved. While the US is a late adopter compared to Europe and other parts of the world, it will benefit from getting the latest and greatest EMV chip technology as well as the very latest PCI PTS-approved EMV chip terminals. With this technology in place, the US is also in a much better position to accept the newest type of transaction technology, such as contactless NFC payments, which are predicted to hit more than $700 billion globally by 2017. So not only does the shift provide the strongest security protections, it is also a business and technology enabler.

ER: Which regions can be best commended in terms of their attempts to tackle card fraud, and likewise where is there still the most work to be done?

JK: Each country and part of the world has its own set of challenges when it comes to securing payment transactions, but every region is having to come to terms with the real threat of cybercrime and how to defend against it. Since the introduction of PCI DSS in 2006 we are now seeing that organisations are no longer storing cardholder data, and increasingly if they do have to store cardholder data, that data is encrypted. However this still leaves data in transit, and this is a target for criminals. In addition we are increasingly seeing criminals targeting personal information.

Data security throughout Europe is gaining attention due to an increase in high-profile breaches, record high levels of card-not-present (CNP) fraud and pending legislation from the European Central Bank requiring businesses to demonstrate how they are protecting sensitive consumer information. While there has been much recent attention on the US given a number of high profile breaches, with the proposed EU Data Protection Directive all breaches will have to be disclosed. This will give the appearance that there is a spike in data breaches in Europe, when in reality it's just that more information will be available about breaches that have occurred. For companies that are not yet serious about security this could be a real wake-up call. Organisations need to know these regulations are coming and put a plan in place for ongoing security.

ER: What’s the biggest cost to retailers when they are breached? Financial or reputational?

JK: The simple answer is both. There are many costs to a retailer when they are breached, and they largely depend on the size of the breach and how quickly and effectively the organisation detects and reacts to the breach. We do know that organisations that have an incident response plan in place fare better than those organisations that do not. There are additional advantages too, and not just in security, but also when it comes to the bottom line. Research shows that having an incident response team in place can provide significant savings.

Being prepared is the best way forward. PCI recently released a document called "Responding to a Data Breach" which provides organisations with a roadmap to create their own data breach response plan.

Unfortunately a lot of retailers still think it won't happen to them and don't have a plan in place. Retailers need to take security seriously, address these issues head-on and adopt good data security practices starting with their own board and rolling out across every level.

ER: Global card fraud in 2016: what will be the major issues to address?

JK: The biggest priority going into 2016 is combating the mindset that security is a single point-in-time activity. The ongoing security of all customer data, and especially cardholder data, should be the driving objective behind a continuous security process based upon the sound requirements of the PCI DSS standard. We encourage retailers to emphasise security, not just compliance, and to build a culture of security and allow compliance to be achieved as a consequence.

Another key mission for retailers in 2016 is to devalue cardholder data at the soonest possible moment it enters their environment. We know that as new payment models emerge, we’ve got to make multichannel security a priority, so that however and wherever data is being processed and stored it's protected. PCI Standards provide these protections. Combined with EMV chip at the PoS, point-to-point encryption and tokenisation technologies bundled properly, you can devalue the data so it's useless in the hands of criminals. That is the endgame.

These issues and many more will be driving presentations, conversations and discussions from security experts, merchants, banks and the PCI SSC at this week's PCI Security Standards Council European Community Meeting in Nice, France.
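The "devalue the data" point above is usually implemented with tokenisation: the real PAN is swapped for a random surrogate the moment it enters the merchant's systems, so the merchant's own databases never hold anything a criminal can use. The following is an added example written for this page, not code from the PCI SSC, from EMVCo or from any vendor mentioned in the interview. It assumes a simple in-process `TokenVault` standing in for the separate, access-controlled vault a PCI-validated provider would run (such a vault would encrypt stored PANs at rest and keep the HMAC index key in an HSM; here both are plain Python objects so the example runs offline). The test card numbers used are constructed inputs.

```python
"""Tokenising a card PAN at the point it enters a merchant system.

Added example (not from the PCI SSC or the article). Demonstrates the
property that matters for "devaluing" cardholder data: the token the
merchant keeps is random, so no key exists that turns it back into a PAN.
The in-memory vault below is a stand-in for a separate, PCI-validated
tokenisation service whose stored PANs are encrypted at rest.
"""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Return True if `pan` is a digit string of plausible length that
    passes the Luhn check digit (the check every real PAN satisfies)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random tokens.

    Lives outside the merchant's cardholder data environment; only the
    vault can map a token back to a PAN. Assumption: `index_key` is a
    secret held by the vault (an HSM in practice), used so that the same
    PAN always yields the same token without storing a plain SHA-256 of
    the PAN, which could be brute-forced across the ~10^16 PAN space.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._by_token = {}   # token -> PAN (encrypted at rest in a real vault)
        self._by_index = {}   # HMAC(PAN) -> token, for de-duplication

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for `pan`, minting a fresh random one if unseen."""
        if not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        while True:
            # Keep length and last four digits so receipts and customer
            # service still work; everything else comes from a CSPRNG.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice: reject Luhn-valid candidates so a token can
            # never be mistaken for (or accidentally used as) a real PAN.
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Vault-only operation: recover the PAN for a token."""
        return self._by_token[token]


def merchant_ingest(vault: TokenVault, pan: str) -> dict:
    """What the merchant's own systems are allowed to persist: the token
    and the last four digits, never the PAN itself."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    record = merchant_ingest(vault, "4111111111111111")   # constructed test PAN
    print("merchant stores:", record)
    print("vault can recover:", vault.detokenize(record["token"]))
```

The useful check is the last assertion in the usage: a stolen copy of `record` contains no PAN, and because the token body is random rather than derived from the PAN, there is nothing to decrypt or brute-force; an attacker who wants the card number has to compromise the vault itself, which is exactly the smaller, better-defended target the interview is arguing for.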